The validate_password component serves to test
user-specified passwords and improve security. The component
exposes a set of system variables that enable you to define a
password policy.
The component implements two capabilities:
- In statements that assign a password supplied as a cleartext value, the component checks the password against the current password policy and rejects the password if it is weak. This affects the ALTER USER, CREATE USER, and SET PASSWORD statements.
- The VALIDATE_PASSWORD_STRENGTH() SQL function assesses the strength of potential passwords. The function takes a password argument and returns an integer from 0 (weak) to 100 (strong).
The validate_password component provides three levels of password checking: LOW, MEDIUM, and STRONG. The default is MEDIUM; the level in effect is controlled by the validate_password.policy system variable. The policies implement increasingly strict password tests:
- The LOW policy tests password length only. Passwords must be at least 8 characters long. To change this length, modify validate_password.length.
- The MEDIUM policy adds the conditions that passwords must contain at least 1 numeric character, 1 lowercase character, 1 uppercase character, and 1 special (nonalphanumeric) character. To change these values, modify validate_password.number_count, validate_password.mixed_case_count, and validate_password.special_char_count.
- The STRONG policy adds the condition that password substrings of length 4 or longer must not match words in the dictionary file, if one has been specified. To specify the dictionary file, modify validate_password.dictionary_file.
In addition, the validate_password component
can reject passwords that match the user name part of the
effective user account for the current session, either forward or
in reverse. To provide control over this capability,
validate_password exposes a
validate_password.check_user_name
system variable, which is enabled by default.
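The three policy levels and the user-name check described above, modelled in Python so the rules can be exercised against sample passwords before a server is configured. This is an added example, not MySQL's own code: the strength scores 0/25/50/75/100 assumed in strength() follow the reference manual's description of VALIDATE_PASSWORD_STRENGTH(), and the dictionary comparison is assumed to run on the lowercased password; treat it as a teaching model rather than a byte-for-byte reimplementation of the server's checks.

```python
"""Illustrative model of the validate_password policy levels.

Added example: this is not MySQL's code. Assumptions not stated on the page:
the strength scores 0/25/50/75/100 follow the MySQL reference manual's
description of VALIDATE_PASSWORD_STRENGTH(), and the dictionary comparison
is done on the lowercased password.
"""
from dataclasses import dataclass

# Numeric values of validate_password.policy.
LOW, MEDIUM, STRONG = 0, 1, 2


@dataclass
class PasswordPolicy:
    """Mirrors the validate_password.* system variables (defaults as on the page)."""
    policy: int = MEDIUM
    length: int = 8
    number_count: int = 1
    mixed_case_count: int = 1
    special_char_count: int = 1
    check_user_name: bool = True
    dictionary: frozenset = frozenset()  # words from validate_password.dictionary_file

    def satisfies_low(self, password: str) -> bool:
        """LOW: length only."""
        return len(password) >= self.length

    def satisfies_medium(self, password: str) -> bool:
        """MEDIUM: digit, lowercase, uppercase and special-character counts."""
        digits = sum(c.isdigit() for c in password)
        lower = sum(c.islower() for c in password)
        upper = sum(c.isupper() for c in password)
        special = sum(not c.isalnum() for c in password)
        return (digits >= self.number_count
                and lower >= self.mixed_case_count
                and upper >= self.mixed_case_count
                and special >= self.special_char_count)

    def satisfies_strong(self, password: str) -> bool:
        """STRONG: no substring of length 4 or more may be a dictionary word."""
        if not self.dictionary:          # no dictionary file: nothing to check
            return True
        lowered = password.lower()       # assumption: comparison is case-insensitive
        for start in range(len(lowered)):
            for end in range(start + 4, len(lowered) + 1):
                if lowered[start:end] in self.dictionary:
                    return False
        return True

    def strength(self, password: str) -> int:
        """Approximates VALIDATE_PASSWORD_STRENGTH(): 0 (weak) .. 100 (strong)."""
        if len(password) < 4:
            return 0
        if not self.satisfies_low(password):
            return 25
        if not self.satisfies_medium(password):
            return 50
        if not self.satisfies_strong(password):
            return 75
        return 100

    def accepts(self, password: str, user_name: str = "") -> bool:
        """Outcome of ALTER USER / CREATE USER / SET PASSWORD under this policy."""
        # check_user_name: reject the user name itself, forward or reversed.
        if self.check_user_name and user_name:
            if password in (user_name, user_name[::-1]):
                return False
        required = {LOW: 50, MEDIUM: 75, STRONG: 100}[self.policy]
        return self.strength(password) >= required


if __name__ == "__main__":
    default = PasswordPolicy()
    # The page's own failing case: 'abc' for bob.smith under the default MEDIUM policy.
    print("abc ->", default.strength("abc"), default.accepts("abc", "bob.smith"))
    strong = PasswordPolicy(policy=STRONG, dictionary=frozenset({"password"}))
    print("Password1! ->", strong.strength("Password1!"), strong.accepts("Password1!"))
```

Note that the user-name check runs before any strength test, so even a password that would score 100 is rejected when it equals the account's user name or its reverse; raising validate_password.policy to STRONG only adds a test when a dictionary file is actually configured.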
To install and configure the password validation component:
- Ensure that the validate_password component library file is located in the MySQL plugin directory:

    $> cd /path/to/mysql/lib/plugin/
    $> ls component_v*
    component_validate_password.so

  Ensure that the plugin_dir system variable is set to the MySQL plugin directory:

    mysql> SELECT @@plugin_dir;
    +----------------------------+
    | @@plugin_dir               |
    +----------------------------+
    | /path/to/mysql/lib/plugin/ |
    +----------------------------+

  Install the validate_password component using the INSTALL COMPONENT statement:

    mysql> INSTALL COMPONENT 'file://component_validate_password';

  Component installation is a one-time operation that need not be done per server startup. INSTALL COMPONENT loads the component, and also registers it in the mysql.component system table to cause it to be loaded during subsequent server startups.
- Add these options under the [mysqld] option group in the MySQL configuration file (/etc/my.cnf) so that you can adjust them as necessary. The default values are used in this deployment.

    validate_password.policy=1
    validate_password.length=8
    validate_password.number_count=1
    validate_password.mixed_case_count=1
    validate_password.special_char_count=1
    validate_password.check_user_name=1

  - validate_password.policy=1: The password policy enforced by validate_password. A value of 1 is MEDIUM, which is the default setting. By default, the MEDIUM policy specifies that passwords must be at least 8 characters long and contain at least 1 numeric character, 1 lowercase character, 1 uppercase character, and 1 special (nonalphanumeric) character.
  - validate_password.length=8: The minimum number of characters that validate_password requires passwords to have.
  - validate_password.number_count=1: The minimum number of numeric (digit) characters that validate_password requires passwords to have if the password policy is MEDIUM or stronger.
  - validate_password.mixed_case_count=1: The minimum number of lowercase and uppercase characters that validate_password requires passwords to have if the password policy is MEDIUM or stronger.
  - validate_password.special_char_count=1: The minimum number of nonalphanumeric characters that validate_password requires passwords to have if the password policy is MEDIUM or stronger.
  - validate_password.check_user_name=1: Rejects passwords that match the user name part of the effective user account for the current session, either forward or in reverse.

  Note: validate_password.dictionary_file is not used in this deployment. By default, this variable has an empty value and dictionary checks are not performed. For the dictionary file to be used during password checking, the password policy must be set to 2 (STRONG); see the description of the validate_password.policy system variable for more information.
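A small audit script for the option set just listed, added here as an example rather than MySQL tooling: it parses the [mysqld] group of a my.cnf and reports any validate_password.* option that is missing, invalid, or weaker than the values above. The two configuration texts embedded in it are constructed for the example. It accepts the policy either as a number (0/1/2) or as a name (LOW/MEDIUM/STRONG) and check_user_name as 0/1 or OFF/ON, both of which the server accepts.

```python
"""Audit the validate_password.* options in a my.cnf [mysqld] group.

Added example, not MySQL tooling. The baseline is the option set shown above;
the config texts below are constructed for the example.
"""

POLICY_NAMES = {"LOW": 0, "MEDIUM": 1, "STRONG": 2}
BOOL_NAMES = {"0": False, "1": True, "OFF": False, "ON": True}

# Minimum acceptable values for this deployment (from the option list above).
BASELINE_MIN = {
    "validate_password.policy": 1,          # MEDIUM or stronger
    "validate_password.length": 8,
    "validate_password.number_count": 1,
    "validate_password.mixed_case_count": 1,
    "validate_password.special_char_count": 1,
}


def parse_mysqld_options(text: str) -> dict:
    """Return {option: value} for the [mysqld] group; a bare option maps to None."""
    options, in_mysqld = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_mysqld = line[1:-1].strip() == "mysqld"
            continue
        if in_mysqld:
            key, sep, value = line.partition("=")
            options[key.strip()] = value.strip() if sep else None
    return options


def audit_validate_password(text: str) -> list:
    """Return one finding per option that is missing, invalid, or below baseline."""
    opts = parse_mysqld_options(text)
    findings = []
    for key, minimum in BASELINE_MIN.items():
        value = opts.get(key)
        if value is None:
            findings.append(f"{key} is not set explicitly in [mysqld]")
            continue
        # The policy may be spelled as a name; everything else must be an integer.
        numeric = POLICY_NAMES.get(value.upper()) if key.endswith(".policy") else None
        if numeric is None:
            try:
                numeric = int(value)
            except ValueError:
                findings.append(f"{key}={value!r} is not a valid value")
                continue
        if numeric < minimum:
            findings.append(f"{key}={value} is below the baseline of {minimum}")
    flag = opts.get("validate_password.check_user_name")
    if flag is None:
        findings.append("validate_password.check_user_name is not set explicitly in [mysqld]")
    elif BOOL_NAMES.get(flag.upper()) is not True:
        findings.append(f"validate_password.check_user_name={flag} disables the user-name check")
    return findings


# Constructed sample configs (not taken from a real server).
COMPLIANT_CNF = """
[client]
port=3306

[mysqld]
validate_password.policy=1
validate_password.length=8
validate_password.number_count=1
validate_password.mixed_case_count=1
validate_password.special_char_count=1
validate_password.check_user_name=1
"""

WEAK_CNF = """
[mysqld]
validate_password.policy = LOW        # names are accepted as well as numbers
validate_password.length=4
validate_password.number_count=1
validate_password.mixed_case_count=1
validate_password.check_user_name=OFF
"""

if __name__ == "__main__":
    for name, cnf in (("compliant", COMPLIANT_CNF), ("weak", WEAK_CNF)):
        print(name, audit_validate_password(cnf) or ["no findings"])
```

An option that is absent is reported even though the server default would satisfy the baseline, because the deployment relies on the values being written down where they can be reviewed and adjusted; the same script can be pointed at the output of SHOW VARIABLES LIKE 'validate_password%' after a trivial change of parser if you want to audit the running server rather than the file.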
- To verify component installation, query the mysql.component table:

    $> cd /usr/local/mysql
    $> bin/mysqladmin -u root -p version
    Enter password: (enter root password here)

    mysql> SELECT * FROM mysql.component;
    +--------------+--------------------+------------------------------------+
    | component_id | component_group_id | component_urn                      |
    +--------------+--------------------+------------------------------------+
    |            1 |                  1 | file://component_validate_password |
    +--------------+--------------------+------------------------------------+
- To verify that the password validation component works, attempt to create a user with a non-compliant password:

    mysql> CREATE USER 'bob.smith'@'localhost' IDENTIFIED BY 'abc';
    ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
The policy that the validate_password
component implements has no effect on generated passwords. The
purpose of a validate_password policy is to
help humans create better passwords.
For more information about the
validate_password component, see
The Password Validation Component.